Abstract 

The confidentiality of a patient's information has been sacred since the days of Hippocrates, the Father of Medicine. Today, however, merely taking an oath to respect a patient's privacy has been overshadowed by regulations governing how certain healthcare establishments handle an individual's health information on the web. Consequently, if a healthcare organization employs electronic mail as a means of communicating medical and/or health data to consumers, providers, and other appropriate parties, it must ensure such information is safeguarded, since using the Web poses concerns about the privacy and security of an individual's information. E-mail between patients and physicians (or other health care providers) must be secured under the Privacy Rule of the Health Insurance Portability and Accountability Act; when transfer of protected health information (PHI) occurs, even if private, such a communication falls under HIPAA's guidelines. In today's electronic age, it is increasingly likely that protected health care information will be subject to fraud. HIPAA addresses the privacy and security of health care information in its Privacy and Security Rules, which enforce standards applied to PHI. This paper will focus on HIPAA's role in e-mail communications in health settings, particularly as it relates to the privacy of the information exchanged between doctor and patient. 

Introduction 

Successful communication between patients and their 
doctors has, for decades, been established as playing a 
key role in the provision of quality health care (Bertakis, 
1977), contributing to greater patient involvement during 
office visits, improved compliance with therapeutic 
recommendations and clinical outcomes, and high rates of 
patient and physician satisfaction (Rao, Anderson, Inui, & 
Frankel, 2007). It has become clear that successful patient- 
physician communication is not limited to face-to-face 
contact; three-in-four ambulatory medical contacts are made 
by telephone (Ries, 1987), and the vast majority of medical 
problem-related telephone calls can be adequately managed 
on the telephone - without a physician having the need to 
see his/her patient (Curtis, 1988). 

Use of the Internet has increased dramatically, and many individuals use electronic mail (e-mail) to communicate with their family and friends about health issues (Baker, Wagner, Singer, & Bundorf, 2003; Liederman & Morefield, 2003; Pal, 1999). A sizeable percentage of patients (85% in one study) indicated that e-mail is a good way to communicate with physicians (Neill, Mainous, Clark, & Hagan, 1994), and 9 in 10 wish they had the ability to do so (Harris Interactive, 2002). In reality, however, very few patients acknowledge that they have actually communicated with their physicians electronically. In a study by Sittig, King, and Hazlehurst (2001), only 6% of patients had ever sent an e-mail message to their physician/provider; similarly, Moyer, Stern, Dobias, Cox, and Katz (2002) reported that only 10.5% of e-mail users had ever done so. And while greater than 90% of physicians are using computers for personal/professional reasons, as few as 7% admit exchanging e-mail with their patients (Lacher, Nelson, Bylsma, & Spena, 2000); only about 30% of pediatric doctors have been known to use patient-physician e-mail (PPEM) (Rosen & Kwoh, 2007). 

Such studies suggest that e-mail has the potential to improve the quality of health care, encourage patient-physician communication, and enhance professional relationships among physicians. Despite this promise, e-mail communication is underused in the medical setting due to important legal and ethical questions (DeVille & Fitzpatrick, 2000). At the heart of the matter is the privacy of a patient's medical records. Privacy and security concerns increase reluctance, among physicians and patients alike, to communicate via e-mail (Ellis, Klock, Mingay & Roizen, 1999; Moyer et al., 2002; Sittig, King, & Hazlehurst, 2001). Non-secure messages (i.e., those that are unencrypted) may be intercepted and read by unauthorized individuals; e-mail may be left open on the screen of a computer, allowing unauthorized individuals to see it; and computer terminals may be shared at work or at home, minimizing privacy (Freed, 2003). As a result, creating an e-environment that is secure and reliable has become a mission-critical element of each and every practice in the healthcare industry, from those providing patient care to those who oversee the daily management of business operations (Kowalczyk, 2004). 

Enter the Health Insurance Portability and Accountability Act (HIPAA) of 1996, P.L. 104-191 (U.S. Congress, 1996). Originally sponsored by Senators Edward Kennedy and Nancy Kassebaum, HIPAA was passed to protect health insurance coverage for workers and their families when they change or lose their jobs. At the same time, Congress saw the need to address growing public concern about the privacy and security of personal health data, so the task of writing rules on privacy eventually fell to the Department of Health and Human Services (DHHS); after several modifications, the HIPAA Privacy Rule was issued (United States Department of Health and Human Services [USDHHS], 2003). The law requires health care entities (including hospitals, doctors, health plans, labs, pharmacies, and billing/claims agents) to protect the privacy of a patient's electronic health information, which is the key to protecting it against hackers (Austin, 2006). HIPAA sets the gold standard for privacy in the electronic age, but to what extent is patient confidentiality really protected, especially as it relates to e-mail communication? What benefits and shortcomings are there for health care consumers? Who is covered by HIPAA? What is the scope of coverage, i.e., what is covered by HIPAA and what is not, and who is covered by HIPAA and who is not? What are the implications for the future? 

This paper will focus on HIPAA's role in e-mail communications in health settings, particularly as it relates to the privacy of the information exchanged between doctor and patient. Specifically, the paper presents a brief overview of HIPAA, and addresses the privacy and security standards that appear in the legislation; in addition, the paper reviews how HIPAA addresses the security of e-mail communication and the fundamental importance of encryption to health care consumers. Finally, the paper discusses the bill's implications, including concerns related to security, availability, and protection of information. Among the chief goals in writing this paper is to foster a fuller understanding of HIPAA and how it relates to the protection of health information in an electronic age. 

Overview of HIPAA 

The Health Insurance Portability and Accountability Act of 1996 implemented new rules for health care consumers and providers; the legislation mandates compliance with its Privacy and Security Rules. HIPAA laws apply to a covered entity (healthcare providers, clearinghouses, and health plan payers that meet certain conditions). In essence, most providers are covered entities if they employ an electronic-based office, meaning that they function by storing/exchanging health information via "...the internet (wide-open), extranet (using internet technology to link a business with information accessible only to collaborating parties), leased lines, private networks, and the physical movement of removable/transportable electronic storage media" (45 CFR, Part 160, 1996). 

HIPAA e-mail security applies specifically to PHI, not simply personal information. PHI is any individually identifiable health information about health status, the provision of health care, or payment for health care. This is often interpreted rather broadly and includes any part of a patient's medical record or payment history that can be "...transmitted by electronic media; maintained in any medium described in the definition of electronic media; or transmitted in any other form or medium" (45 CFR, Part 160, Subpart A, Section 103, 1996). As such, all administrative, financial, and clinical data on a patient are considered to be PHI and are to be treated with special care (see Table 1). 

HIPAA mandates the implementation of administrative and technical rules (or standards) in five areas: electronic transaction standards, standard code sets for information, unique health identifiers for employers and providers, security and digital signatures, and privacy of individually identifiable health information. Healthcare organizations are obliged to establish both policies and procedures to protect the confidentiality of their patients' PHI. HIPAA provides patients with greater control over how their PHI is used and disclosed. In essence, HIPAA seeks to establish standard mechanisms for electronic data interchange, security, and confidentiality of all healthcare-related data and communication (including e-mail). There are two main compliance components under the Administrative Simplification provisions of the law: the Privacy Rule and the Security Rule. Health care providers who electronically transmit health information in connection with certain transactions must comply with both these rules (American Health Information Management Association, 2003). 

Privacy and Security Standards 

The HIPAA Privacy Rule took effect on April 14, 2003. It regulates the use and disclosure of certain information held by covered entities and sets standards for patients' rights with respect to their information. Covered entities must follow the provisions that grant each individual the right to the privacy and confidentiality of their health information (i.e., information on health status, provision of health care, or payment for health care that can be linked to an individual) (Terry, 2009). Stated another way, protected health information is subject to an individual's rights as to how such information, whether oral, written, or electronic, is used or disclosed (45 CFR, Part 164, 1996). 

Taking the Privacy Rule one step further, the DHHS was charged with developing the Security Rule to cover electronic PHI (ePHI). To this end, the Security Rule ensures a minimum level of security so that ePHI remains private and protected; it outlines a broadly flexible model for security management across the health care industry and allows heightened protection against hackers, resulting in more secure, reliable information systems that help keep health data from being lost or accessed by unauthorized users (Austin, 2006). The key distinction is that the Security Rule applies to electronic forms of protected health information only; unlike the Privacy Rule, it does not reach purely oral or paper communication (Burton & Kangas, 2009; Privacy Rights Clearinghouse, 2010). 

The Privacy and Security Rules focus on protecting health data through information safeguards, and require covered entities to implement the necessary and appropriate means to secure and protect such data. Additional guidelines have been developed that address organizational and administrative concerns, along with technical and physical safeguards to reduce risk (Medem Network, 2006). 
Table 1 


List of 18 Identifiers That Must Be Treated With Special Care According to HIPAA 


# Identifiers 


1 Names 

2 All geographical subdivisions smaller than a State, including street address, city, county, precinct, zip code, 
and their equivalent geocodes, except for the initial three digits of a zip code, if according to the current 
publicly available data from the Census Bureau: 1) the geographic unit formed by combining all zip codes 
with the same three initial digits contains more than 20,000 people; and (2) the initial three digits of a zip 
code for all such geographic units containing 20,000 or fewer people is changed to 000. 

3 Dates (other than year) directly related to an individual, including birth date, admission date, 
discharge date, and date of death; and all ages over 89 and all elements of dates (including year) indicative of 
such age, except that such ages and elements may be aggregated into a single category of age 90 or older 

4 Phone numbers 

5 FAX numbers 

6 Electronic mail address 

7 Social security numbers 

8 Medical record numbers 

9 Health plan beneficiary numbers 

10 Account numbers 

11 Certificate or license numbers 

12 Vehicle identifiers and serial numbers, including license plate numbers 

13 Device identifiers and serial numbers 

14 Web Uniform Resource Locators (URLs) 

15 Internet Protocol (IP) address numbers 

16 Biometric identifiers, including finger, retinal, and voice prints 

17 Full face photographic images and any comparable images 

18 Any other unique identifying number, characteristic, or code (note this does not mean the unique code 
assigned by the investigator to code the data) 


Source: U.S. Department of Health and Human Services (2003) 


E-Mail Communications Under HIPAA 

In terms of how patient and physician now relate, e-mail has transformed communication, treatment, and care; millions of transactions are processed each day via e-mail at a fraction of the time and costs previously associated with hard copies. However, if left unprotected, or unavailable, e-mail can interfere with a healthcare organization's primary mission of providing high-quality patient care. 

Within HIPAA, the terms required and addressable are used to describe levels of compliance. The term required designates full compliance; complying with a given standard is mandatory and, therefore, must be followed. When addressable is used, a given specification must be implemented unless assessments and in-depth analyses conclude that such an implementation is not reasonable and/or appropriate given the setting, in which case the organization must document why and implement an equivalent alternative measure where one is reasonable; addressable does not mean optional. Regarding such addressable specifications, organizations interpret each Security Standard separately and deal with each piece independently to determine appropriate compliance levels and the needs of the organization (Burton & Kangas, 2009). 

The General Rules as they apply to these standards reflect a technology-neutral approach; this means that organizations have some flexibility as to the types of systems they choose to employ, with no specific products recommended, as long as the requirements for protecting e-communication are met. Some privacy advocates have argued that this flexibility provides too much latitude to adequately cover the intent of the rule. The rule's standards are organized into three sets of safeguards (Burton & Kangas, 2009): 

• Administrative safeguards guide personnel training and staff management regarding PHI and require an organization to reasonably safeguard (administrative, technical, and physical) information and electronic systems. 

• Physical safeguards are implemented to protect computer servers, systems, and connections, including individual workstations. This section covers security concerns related to physical access to buildings, access to workstations, data backup, storage, and obsolete data destruction. 

• Technical safeguards affect PHI that is maintained or 
transmitted by electronic media. This section addresses 
issues involving authentication of users, audit logs, 
checking data integrity, and ensuring data transmission 
security. 

The American Recovery and Reinvestment Act (ARRA), signed into law in February 2009, includes new, more comprehensive provisions for HIPAA. These clauses are in Title XIII of the bill, known as the Health Information Technology for Economic and Clinical Health (HITECH) Act, with the privacy provisions in its Subtitle D; it provides heightened enforcement of HIPAA and stiffer penalties for privacy and security violations, and sets aside billions of dollars to invest in electronic health record (EHR) implementation and exchange. 

For those organizations already required to abide by HIPAA (the covered entities), HITECH adds: mandatory periodic audits by DHHS personnel to ensure compliance, explicit fines (up to $1.5 million per year for violations involving protected health information), mandatory Business Associate Agreements with vendors and partners, and reporting requirements (to DHHS and the media) on unauthorized disclosures of protected health information. For HIPAA Business Associates, the bill imposes even more stringent changes, including responsibility for following all Privacy and Security regulations with respect to all protected health information received, and liability for unauthorized use or disclosure of protected health information (Cohen, 2009; Kangas, 2010). 

Importance of Encryption for E-Mail Communications 

Electronic mail is now fully embedded as a business tool in health care organizations, and is likely the top mission-critical application used by a company. E-mail not only serves as a communication tool, but also carries sensitive, critical health data; it has become increasingly important to provide a secure, robust, and manageable way to protect these data. The technology created for this purpose involves encryption, "...the use of an algorithmic process to transform data into a form in which there is a low probability of assigning meaning without use of a confidential process or key" (45 CFR, Part 164, Subpart C, Section 304, 1996, p. 15). Stated in a simpler way, encryption is one method of rendering electronic PHI unusable or indecipherable to unauthorized persons. 

In reality, e-mail transmissions can readily be intercepted by anyone positioned on the network path when the standard Post Office Protocol 3 (POP3) is used without encryption, as it is in low-end e-mail hosting applications and in many free e-mail services such as Yahoo, MSN, Verizon, etc. Threats do not always come from an external source, and are not always intentional; thus, messages must be encrypted "...from e-mail endpoint to e-mail endpoint..." (Stanley, 2007, p. 3). Mail servers using Microsoft (MS) Exchange can provide encrypted connections. Physicians need to be sure that their hosted e-mail accounts use secure platforms; in MS Exchange-based accounts this is achieved by adjusting a few properties, whether using client applications like Outlook and Thunderbird or using web mail. Adjustments must be made for both the incoming and the outgoing server, which commonly use the Internet Message Access Protocol (IMAP) and the Simple Mail Transfer Protocol (SMTP), respectively. With these properties set, e-mail travels between the client and the server over Secure Sockets Layer (SSL), now Transport Layer Security (TLS), so that a message captured on that link is illegible to the eavesdropper. Two caveats matter for a covered entity. First, SSL/TLS on IMAP and SMTP protects only the connection between a mail client and its server; the server itself, and every relay that forwards the message on to the recipient's provider, handles the message in plaintext, and whether those server-to-server hops are encrypted is negotiated hop by hop and is outside the sender's control. Second, the endpoint-to-endpoint guarantee that only the sender and the recipient hold the keys needed to read the message requires message-level encryption, such as S/MIME or PGP, in addition to transport encryption (see note 3 to Table 2). Most important, encryption that meets the USDHHS guidance issued under HITECH, which specifies the technologies that render ePHI unusable, unreadable, or indecipherable to unauthorized individuals, is compliant with HIPAA regulations (USDHHS, 2009). 

Security risks for e-mail commonly include unauthorized interception of messages en route to recipients and delivery of messages to unauthorized recipients. These risks are addressed in the Security Rule's technical safeguards (USDHHS, 2005), mainly through the following (Figure 1): 

• Person or Entity Authentication. A required standard: procedures must be implemented to verify that a person or entity seeking access to ePHI is the one claimed. This means the identity of the person seeking information must be confirmed within the information system being used. 

• Transmission Security. A required standard with two addressable implementation specifications, integrity controls and encryption, to be applied as reasonable and appropriate safeguards against unauthorized access to ePHI transmitted over an electronic network. 

• Each healthcare organization using an e-mail service must determine, based on the technologies used for electronic transmission of PHI, how the Security standards are met. 

• Other addressable specifications relevant to e-mail include automatic logoff and encryption and decryption of stored ePHI, both under the access control standard. 
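Whether a particular delivered message actually had the transmission security discussed above is recorded in the message itself: every relay prepends a Received: header whose "with" clause names the SMTP variant used on that hop (ESMTPS or ESMTPSA when TLS was negotiated, plain ESMTP or SMTP when it was not; Exchange writes its own "Microsoft SMTP Server (version=TLS...)" form), while message-level encryption shows up as an S/MIME or PGP/MIME content type. The following script is an added example, not part of the paper or of any vendor's product: it parses those headers to classify a message as end-to-end encrypted, transport-encrypted on every recorded hop, or sent in the clear on at least one hop. The three sample messages, their hostnames and their IDs are constructed for illustration.

```python
"""Classify the protection a delivered e-mail actually had in transit.

Added example (not from the paper).  It reads the Received: trace headers
that each relay prepends and reports, hop by hop, whether the "with"
clause names a TLS-protected SMTP variant, and whether the body itself is
S/MIME- or PGP/MIME-encrypted.  Sample messages are constructed.
"""
import email
import re

# "with <protocol>" as written by Postfix, Sendmail, Exim and friends.  A
# trailing S means TLS was used on that hop; a trailing A means the client
# authenticated (ESMTPSA = TLS + auth).  The group rejects "with cipher ...".
_WITH_RE = re.compile(r"\bwith\s+((?:UTF8)?(?:E?SMTP|LMTP)S?A?)\b", re.IGNORECASE)
# Exchange / Office 365 spell it out differently.
_EXCHANGE_TLS_RE = re.compile(
    r"with\s+Microsoft\s+SMTP\s+Server\s*\((?:TLS|version=TLS)", re.IGNORECASE)


def hop_used_tls(received_header):
    """True if this Received: line records a TLS-protected hop."""
    if _EXCHANGE_TLS_RE.search(received_header):
        return True
    m = _WITH_RE.search(received_header)
    if not m:
        return False            # unknown or missing protocol: assume the worst
    proto = m.group(1).upper()
    if proto.endswith("A"):     # drop the "authenticated" flag
        proto = proto[:-1]
    return proto.endswith("S")


def is_end_to_end_encrypted(msg):
    """Message-level encryption: S/MIME enveloped data or PGP/MIME."""
    ctype = msg.get_content_type()
    if ctype == "application/pkcs7-mime":
        return (msg.get_param("smime-type") or "") == "enveloped-data"
    if ctype == "multipart/encrypted":
        return msg.get_param("protocol") == "application/pgp-encrypted"
    return False


def classify(raw):
    """Return per-hop TLS flags (newest relay first) and an overall level."""
    msg = email.message_from_string(raw)
    hops = msg.get_all("Received") or []
    tls = [hop_used_tls(h) for h in hops]
    e2e = is_end_to_end_encrypted(msg)
    if e2e:
        level = "end-to-end"        # relays only ever saw ciphertext
    elif hops and all(tls):
        level = "transport-only"    # every recorded link used TLS; relays saw plaintext
    else:
        level = "unprotected"       # at least one link (or an unrecorded one) was clear
    return {"hops": len(hops), "tls_per_hop": tls, "end_to_end": e2e, "level": level}


# Constructed samples.  Tabs are the usual header continuation whitespace.
SAMPLE_TRANSPORT_ONLY = """\
Received: from mx.clinic.example (mx.clinic.example [192.0.2.10])
\t(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits))
\tby mail.patient.example (Postfix) with ESMTPS id 7A9F2C1; Mon, 3 Mar 2014 10:00:05 -0500
Received: from ehr-ws12.clinic.example ([10.0.0.5])
\tby mx.clinic.example with ESMTPSA id 11C2; Mon, 3 Mar 2014 10:00:01 -0500
From: doctor@clinic.example
To: patient@patient.example
Subject: Lab results
Content-Type: text/plain; charset="us-ascii"

Your potassium result was within the normal range.
"""

SAMPLE_PLAINTEXT_HOP = SAMPLE_TRANSPORT_ONLY.replace("with ESMTPSA id 11C2", "with ESMTP id 11C2")

SAMPLE_SMIME = """\
Received: from mx.clinic.example ([192.0.2.10])
\tby mail.patient.example with ESMTPS id C4D1; Mon, 3 Mar 2014 10:00:05 -0500
From: doctor@clinic.example
To: patient@patient.example
Subject: Lab results
Content-Type: application/pkcs7-mime; smime-type=enveloped-data; name="smime.p7m"
Content-Transfer-Encoding: base64

MIAGCSqGSIb3DQEHA6CAMIACAQAxggEwMIIBLAIBADAUMA8xDTALBgNVBAMTBHRlc3QCAQEw
"""

if __name__ == "__main__":
    for name, raw in [("transport-only", SAMPLE_TRANSPORT_ONLY),
                      ("plaintext hop", SAMPLE_PLAINTEXT_HOP),
                      ("S/MIME", SAMPLE_SMIME)]:
        print(name, classify(raw))
```

The "transport-only" result is the practical meaning of note 3 to Table 2: TLS on every link still leaves the message readable on every server along the way, and the internal hop that shows plain ESMTP in the second sample is exactly the kind of insider exposure Stanley (2007) warns about. Received: headers are written by the relays, so a hostile or misconfigured relay can omit or forge them; the check is evidence for an audit, not proof.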

Implications of HIPAA for E-Mail 

The subdivision of the law most relevant to e-mail is the rule requiring that secure messaging solutions meet the following key requirements for exchanging PHI over the Internet (Wilson, 2006). Such a solution applies encryption, authentication, and authorization controls to e-mail, attachments, web forms, or web pages to ensure their integrity, and it secures e-mail or other data without disrupting an organization's existing workflow. Its policies and middleware work with existing content-scanning engines, mail servers, or web servers, and apply compliance protection when specific terms, such as patient Social Security numbers, are detected in a message. It also enables data to be protected and delivered by securing servers, and extends protection to e-mail after delivery to a recipient's inbox. It provides capabilities to ensure that patient information has been properly disclosed in accordance with existing corporate policies, and it integrates with an organization's existing authentication infrastructure. 
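The "specific terms such as patient Social Security numbers" that such a content-scanning policy keys on are the Safe Harbor identifiers of Table 1. The following script, an added example rather than the paper's or any vendor's code, shows the two ways a gateway uses them: deciding that an outbound message contains PHI and must be encrypted or held, and, for the de-identification case, applying the Safe Harbor rules of keeping only the year of a date and only the first three digits of a ZIP code (or 000 for sparsely populated prefixes). The medical record number format, the set of restricted ZIP prefixes, and the sample message are assumptions constructed for illustration; in a deployment the ZIP set comes from the current Census data the rule refers to.

```python
"""Outbound-mail content check for HIPAA Safe Harbor identifiers.

Added example (not from the paper, and not any vendor's product).  It flags
the Table 1 identifiers that a pattern can recognise in free text (SSN,
phone/fax, e-mail, IP, URL, dates, ages over 89, medical record numbers) so
a gateway can force encryption or hold the message, and it performs the
Safe Harbor redaction for dates and ZIP codes.  The MRN convention, the
restricted ZIP-prefix set and SAMPLE are assumptions constructed here.
"""
import re

PATTERNS = {
    "ssn":   re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "phone": re.compile(r"(?<!\d)(?:\+?1[-. ])?(?:\(\d{3}\)|\d{3})[-. ]\d{3}[-. ]\d{4}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"),
    "ipv4":  re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "url":   re.compile(r"\bhttps?://\S+", re.IGNORECASE),
    "date":  re.compile(r"\b(?:\d{1,2}/\d{1,2}/\d{2,4}|\d{4}-\d{2}-\d{2})\b"),
    # Ages over 89 are identifiers; 90-199 written as "NN-year-old" or "age NN".
    "age_over_89": re.compile(
        r"\b(?:9\d|1\d{2})[- ]year[- ]old\b|\bage[d:]?\s+(?:9\d|1\d{2})\b", re.IGNORECASE),
    # Assumed local convention: "MRN" followed by 6-8 digits.
    "mrn":   re.compile(r"\bMRN[:# ]*\d{6,8}\b", re.IGNORECASE),
}

# Three-digit ZIP prefixes covering 20,000 people or fewer must become 000.
# Placeholder set for illustration; a deployment loads the current Census list.
RESTRICTED_ZIP3 = {"036", "059", "102", "203", "890"}
ZIP_RE = re.compile(r"\b(\d{5})(?:-\d{4})?\b")


def scan(text):
    """Map each identifier class found to the strings that matched."""
    found = {}
    for name, pat in PATTERNS.items():
        hits = pat.findall(text)
        if hits:
            found[name] = hits
    return found


def requires_encryption(text):
    """Gateway decision: any identifier present means the message carries PHI."""
    return bool(scan(text))


def keep_year(date_text):
    """Safe Harbor keeps the year of a date and nothing else."""
    m = re.search(r"(?<!\d)(\d{4})(?!\d)", date_text)
    return m.group(1) if m else "[DATE]"


def generalize_zip(zip_code):
    """First three digits, or 000 when the prefix is too sparsely populated."""
    prefix = zip_code[:3]
    return "000" if prefix in RESTRICTED_ZIP3 else prefix


def redact(text):
    """Safe Harbor style de-identification of the recognisable identifiers."""
    out = text
    for name, pat in PATTERNS.items():
        if name == "date":
            out = pat.sub(lambda m: keep_year(m.group(0)), out)
        else:
            out = pat.sub("[%s]" % name.upper(), out)
    # ZIPs last, after the longer digit strings (SSN, MRN, phone) are gone.
    return ZIP_RE.sub(lambda m: generalize_zip(m.group(1)) + "XX", out)


SAMPLE = (  # constructed message text, not real patient data
    "Hi John, MRN 0048213. Your visit on 03/14/2014 is confirmed.\n"
    "Call (555) 123-4567 or reply to john.doe@example.net. SSN on file: 123-45-6789.\n"
    "The 92-year-old patient lives at 12 Elm St, Springfield 02139.\n"
)

if __name__ == "__main__":
    for kind, hits in scan(SAMPLE).items():
        print(kind, hits)
    print("encrypt?", requires_encryption(SAMPLE))
    print(redact(SAMPLE))
```

Pattern matching of this kind has false negatives by construction: a diagnosis written in prose is PHI with no identifier pattern to match, and names (identifier 1) cannot be found by a regular expression at all. The sensible default for a covered entity is therefore to treat every patient-directed message as PHI and use a scanner like this as a second check that catches identifiers leaking into messages that were supposed to be clean, not as the sole gate.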

E-Mail Security Concerns 

The complexity of securing e-mail and keeping it available grows every day. For one thing, e-mail has become a de facto distribution method in the increasingly sophisticated world of viruses, phishing attacks, fraud, spyware, and blended-threat techniques. In addition, spam continues to be a pervasive problem; the result is lost productivity, wasted network/storage resources, and liability for organizations that are not doing what they can to deal with the problem. Finally, the diverse and remote nature of most healthcare Information Technology (IT) networks poses additional challenges for typical IT staff. Ensuring that the proper security technology is installed on all devices, from desktops to hand-held computers to remote e-mail servers, can be a daunting challenge (Grove, 2003; Stanley, 2007). 

E-Mail Security and Availability 

Building secure and flexible solutions for a dynamic IT environment can pose a challenge for IT groups in healthcare organizations, but there are cost-effective ways to achieve such solutions. A layered approach is recommended, one that starts at the earliest point of entry onto the network, through to the end user and beyond to archiving and storage systems. As a first line of defense, security should focus on user education and awareness regarding e-mail usage policies and best practices. For instance, users should know to avoid replying to spam messages, using unsubscribe links, following links in suspicious e-mails, opening e-mail attachments where there is no clear business relevance or where the intention is suspect (e.g., an attachment that claims to be a vulnerability patch but actually carries a virus), and paying attention to virus hoaxes (Wolf & Bennett, 2006). 

Beyond user education, technology is still needed to stop e-mail threats. The most common virus content found in e-mail is the product of mass-mailer programs. Gateway-based antivirus scanners may be used to identify and distinguish mass-mailer threats so they can be removed before causing harm. A policy to delete attachments when a suspect extension type is detected can also be used. Building a resilient, secure foundation is oftentimes just as important as maintaining the security and availability of e-mail information. The need to build the infrastructure on a resilient foundation, one that is robust in its ability to meet growing demands, resistant to failure, and able to quickly recover when failure occurs, is of paramount importance in the health care setting. Storage management and clustering software are key technologies that can be used to construct this scalable e-mail infrastructure (Wolf & Bennett, 2006). 
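The attachment-deletion policy just mentioned is weaker than it sounds if it keys only on the declared extension: a sender names the file "Invoice.PDF.exe", declares a harmless MIME type, or appends a trailing dot so that a naive check sees no ".exe" at all. The following script is an added example, not the paper's own material: it walks a MIME message and removes attachments on any of three signals (the last extension, the declared content type, and the "MZ" header that every Windows executable starts with whatever it is called), and returns what it removed so the gateway can log the decision. The block list, the content-type list and the sample message are constructed for illustration.

```python
"""Gateway attachment policy: strip executable attachments from a message.

Added example (not from the paper).  Each attachment is judged on three
signals, not just its declared name: the *last* extension (so that
"Invoice.PDF.exe" counts as an executable), the declared MIME type, and
the first bytes of the decoded content.  Block lists and the sample
message are constructed for illustration.
"""
import email
from email import policy
from email.message import EmailMessage

BLOCKED_EXTENSIONS = {"exe", "scr", "bat", "cmd", "com", "js", "vbs", "hta", "jar"}
BLOCKED_CONTENT_TYPES = {"application/x-msdownload", "application/x-dosexec",
                         "application/x-msdos-program"}


def is_blocked_name(filename):
    """Block on the last extension; ignore trailing dots/spaces a sender may add."""
    name = (filename or "").strip().lower().rstrip(". ")
    ext = name.rsplit(".", 1)[-1] if "." in name else ""
    return ext in BLOCKED_EXTENSIONS


def strip_reason(part):
    """Return why an attachment part must be removed, or None to keep it."""
    if part.get_filename() is None:
        return None                           # message body, not an attachment
    if is_blocked_name(part.get_filename()):
        return "blocked extension"
    if part.get_content_type() in BLOCKED_CONTENT_TYPES:
        return "blocked content type"
    data = part.get_payload(decode=True) or b""
    if data[:2] == b"MZ":                     # PE/DOS header, whatever the name says
        return "executable content"
    return None


def strip_blocked_attachments(raw):
    """Return (cleaned message text, list of (filename, reason) removed)."""
    msg = email.message_from_string(raw, policy=policy.default)
    removed = []
    for container in msg.walk():
        if not container.is_multipart():
            continue
        kept = []
        for child in container.get_payload():
            reason = None if child.is_multipart() else strip_reason(child)
            if reason:
                removed.append((child.get_filename(), reason))
            else:
                kept.append(child)
        container.set_payload(kept)           # rewrite this multipart without the dropped parts
    return msg.as_string(), removed


def attachment_names(raw):
    """Filenames still attached, for logging or for checking the result."""
    msg = email.message_from_string(raw, policy=policy.default)
    return [p.get_filename() for p in msg.iter_attachments()]


def build_sample():
    """Constructed message: one legitimate PDF and two disguised executables."""
    msg = EmailMessage()
    msg["From"] = "billing@clinic.example"
    msg["To"] = "patient@patient.example"
    msg["Subject"] = "Your statement"
    msg.set_content("Your statement and lab report are attached.")
    msg.add_attachment(b"%PDF-1.4 sample", maintype="application",
                       subtype="pdf", filename="labs.pdf")
    # double extension with a harmless-looking declared type
    msg.add_attachment(b"MZ\x90\x00\x03", maintype="application",
                       subtype="octet-stream", filename="Invoice.PDF.exe")
    # innocent name and type, executable content
    msg.add_attachment(b"MZ\x90\x00\x03", maintype="text",
                       subtype="plain", filename="notes.txt")
    return msg.as_string()


if __name__ == "__main__":
    cleaned, removed = strip_blocked_attachments(build_sample())
    print("removed:", removed)
    print("remaining:", attachment_names(cleaned))
```

A gateway that silently drops a part should also tell the recipient what happened (a text part saying which file was removed and why) and keep the decision in its log, since the same mechanism will occasionally remove a legitimate clinical file; the `removed` list returned here is the data for both.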

Addressing availability starts with ensuring protection of the e-mail data, utilizing a backup and recovery solution. To minimize the disruption to business operations, backup software should offer a single management tool that combines all backup and recovery operations, providing management, alerting, reporting, and troubleshooting technologies at the same time. It is also important that health care organizations take advantage of both tape and disk storage technology, with its advances in disk and snapshot-based protection, off-site media management, and automated disaster recovery. In the final analysis, the right storage management solution will allow administrators to perform nearly all storage-related tasks online without having to take storage offline for the purpose of performing these regular maintenance functions. Clustering technology should be able to mirror data for redundancy and automatically move data from failing disks to healthy ones to cut the downtime from unplanned events, or to quickly move an application from a failed server to a healthy one (Wolf & Bennett, 2006) (see Table 2). 

Implications for the Field 

Performing daily transactions via electronic technologies 
is now accepted, reliable, and necessary as a way of doing 
business for the nation's health care industry, and email 
has emerged as a highly popular communications tool in 
recent years. Its capacity to convey important information 
swiftly and easily has transformed it into a communications 
workhorse(Holz, 2005). Collaborative efforts among health 
care providers have improved the delivery of quality care 
to all patients in addition to the recognized increase in 
administrative efficiency through the effective use of e-mail 
and other types of electronic communication. Asa result, 
electronic communications have become the standard in the 
healthcare industry as a way to conduct business. What's 
more, patients have become more comfortable with e-mai I i ng 
their physician's office to schedule appointments, discuss 
lab results, or request refills on medication; interacting 
with web-savvy patients has become part of the routine 
in a medical practice: real-time authorizations for medical 
services, transcribing, accessing, and storing health records, 
appointment scheduling, and submitting claimsfor payment 
of services provided are examples of how this is done. 
M edicare, and some other insurance payers, also recognize 
and pay for online consultations - known as mouse calls 
(Lowes, 2009) - where the health provider and patient interact 
over the web - i.e., telemedicine has become a larger part 
of the overall picture, particularly in rural areas (Burton & 
Kangas, 2009). 

As e-mail seemingly enhances every facet of healthcare in the 21st century, its benefits continue to be tempered by security and privacy concerns. E-mail has evolved into a mission-critical issue for individuals and groups in healthcare organizations. As a result, flexible solutions to both security and availability must be employed. Given the large volume of protected health information in electronic form, HIPAA privacy requirements implicate the security and integrity of technological systems and processes; technological security must be applied as covered entities use their electronic systems to comply with HIPAA's regulations. Security measures must be customized for use in the health care industry and will grow more relevant as the trend towards electronic storage and maintenance of PHI continues. 

Health educators, particularly those working in medical care settings, have a notable role to play as this evolution occurs (i.e., until physicians become more comfortable with communicating with patients via e-mail). Within medical care facilities, health educators tend to work one-on-one with patients and their families. In this setting, in addition to educating patients about diagnosis, lifestyle change, and a host of other issues, health educators traditionally work closely with physicians, nurses, and other staff (Breckon, Harvey, & Lancaster, 1998). 

As a result, during this transition period, health educators will serve as true patient-physician liaisons, a role for which they are in every respect prepared. The Seven Areas of Responsibility, the comprehensive set of competencies and sub-competencies that define the role of the health education specialist (National Commission for Health Education Credentialing, Inc., 2011), specify that health educators act in precisely such a role for consumer groups, individuals, and health care providers: assessing needs for assistance (6.3.1); prioritizing requests for assistance (6.3.2); establishing consultative relationships (6.3.4); and defining the parameters of effective consultative relationships (6.3.3). As it applies to patient-physician e-mail communication, this currently works best for health educators employed in medical care settings such as Health Maintenance Organizations (Kaiser Permanente uses health educators in its company-wide program of secure patient-physician e-mail messaging; Zhou, Kanter, Wang, & Garrido, 2010), but all health educators can benefit from a detailed understanding of the issue. 

The future may be just around the corner, given recent developments. First and foremost, HIPAA includes recommendations (communication safeguards) and a profile of risk analysis designed to increase e-security and assist in picking a secure e-mail service provider. For those in health care settings, administrative, physical, and technical safeguards include solutions that meet (or exceed) HIPAA's Security Standards, protect data integrity, and demonstrate the delivery of flexible, scalable services. Second, a stricter set of safeguards was added in the HITECH portion of ARRA, requiring agencies to tighten up their in-house e-mail and web-hosting functions (Kangas, 2010) and providing for periodic audits by the Department of Health and Human Services. This portion of the law addresses administrative access to assign (or change) user passwords, in-house controls to validate user access, audit controls that track user access and file access, methods that allow access to users based on role or function, automatic log-off after a specified time of inactivity, and data transmission security. It also concentrates on issues related to the unlimited attributes of electronic documents or e-mail transfers, the ability to encrypt, emergency access for data recovery, and minimal server downtime. Finally, guidelines on secure data backup and storage, secure data disposal, 
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Table 2 


Example of Comprehensive Services and theHIPAA Rules They Satisfy (© Lux Scientiae, Inc.) 


HIPAA Rule 

1. View E-M ail 
with Secure Web- 
M ail, POP, or 
IMAP 

2. Send Email 
with Secure 
Web-M ail or 
SMTP 

3. End-to-End Encryp¬ 
tion with SecureLine 
combined with 1 and 2 

4. Secure 
Collaboration 
(Web Aides) 

Access Control: Unique 

User identification 

V 

V 

V 1 

V 1 

Access Control: Emergency 

A ccess 

V 

V 

V 

V 

Access Control: A utomatic 
Logoff 

V 

V 

V 2 

V 2 

Audit Controls 

V 

V 

V 2 

V 2 

Integrity 

V 3 

V 3 

V 

V 

Person or Entity 
Authentication 

V 3 

V 3 

V 

V 

Transmission Security 
> Integrity Controls 

V 

V 

V 

V 

Transmission Security 
> Encryption 

V 

V 

V 

V 

Device and M edia Controls 
> Data Backups 

V 

V 

V 

V 

Device and M edia Controls 
> Data Disposal 

V 

V 

V 

V 


1 A secure document storage service and use of the SecureLine application for communications may assume that recipients have special 
passwords for their "secure data access certificates" (PGP or S/M IM E). These passwords can be stored in "Escrow," a special secure 
password database if the users so choose. In these cases, passwords can be retrieved in case of emergency or in case of loss. 

2 A secure document storage service and use of the SecureLine application for communications encrypts the data so that only the intended 
recipient(s) can ever view the data. The encryption process also allows the recipient(s) to verify that the data was not altered since it 
was sent or stored. 

3 SSL/TLS solutions encrypt the message during transport to and from the company servers and your personal computer. E-mail sent 
from the Company to external addresses is not necessarily secured without the use of SecureLine (see Solution #3). 

Solution #3 provides complete transport layer and end-to-end e-mail security compatible with any e-mail user anywhere, no matter 
what software he/she may use. 

Source: Burton and Kangas, 2009; USDHHS, 2003. 


user-friendly, web-based access without the necessity of 
third party software, and privacy in not selling or sharing its 
client contact information are provided (Burton & Kangas, 
2009; USDHHS, 2003). 
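As an added illustration (not code from the paper or from any vendor it names), the following Python sketch models several of the technical safeguards listed above for an e-mail access service: unique user identification, role- or function-based access, flagged emergency access, automatic log-off after a period of inactivity, and an audit trail that records every access attempt. The role table and the 15-minute idle limit are assumed values chosen for the example.

```python
import time
from dataclasses import dataclass, field
from typing import Optional

# Assumed values for this example (not taken from the paper): which roles may
# use which e-mail functions, and how long a session may sit idle.
ROLE_PERMISSIONS = {
    "physician": {"read_message", "send_message"},
    "nurse": {"read_message"},
    "billing": set(),          # no access to clinical e-mail content
}
IDLE_TIMEOUT_SECONDS = 15 * 60


@dataclass
class Session:
    user_id: str               # unique user identification
    role: str
    last_activity: float       # epoch seconds of the last accepted request
    active: bool = True
    audit_log: list = field(default_factory=list)   # audit controls

    def _record(self, action: str, outcome: str, now: float, detail: str = "") -> None:
        # Every attempt, allowed or denied, is written to the audit trail.
        self.audit_log.append({"user": self.user_id, "action": action,
                               "outcome": outcome, "time": now, "detail": detail})

    def request(self, action: str, now: Optional[float] = None,
                emergency: bool = False) -> bool:
        now = time.time() if now is None else now
        # Automatic log-off: a request after the inactivity window ends the session.
        if not self.active or now - self.last_activity > IDLE_TIMEOUT_SECONDS:
            self.active = False
            self._record(action, "denied", now, "session expired (automatic logoff)")
            return False
        self.last_activity = now
        # Emergency access: granted to any authenticated user but flagged for review.
        if emergency:
            self._record(action, "allowed", now, "EMERGENCY ACCESS - review required")
            return True
        # Role-based access: only roles granted this function may perform it.
        if action in ROLE_PERMISSIONS.get(self.role, set()):
            self._record(action, "allowed", now)
            return True
        self._record(action, "denied", now, f"role '{self.role}' lacks permission")
        return False
```

Passing an explicit `now` makes the idle timeout testable without waiting; in production the default wall clock is used.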

Conclusions and Recommendations 

Technology security has become increasingly important 
as covered entities use their electronic systems to comply with 
HIPAA’s regulations. The security measures that have been 
adopted - and adapted - for use in the health care industry's 
electronic communication will grow more relevant as the 
trend towards electronic storage and maintenance of protected 
health care information continues, particularly in light of the 
passage of HITECH provisions and regulations. There are 
few studies that document the effectiveness of e-security 
measures; in time, businesses with large volumes of public 
health information in e-form will increasingly comply with 
HIPAA and improve the security and integrity of their systems. 
With this projected improvement, physicians may be more 
likely to e-mail their patients. Future research should be 
conducted to assess physician and patient perceptions, and 
possible concerns, in this area, particularly as it becomes 
more widespread. 
In addition, there are several other areas of research 
that might warrant future attention. First, the development 
of a tool to measure the success of patient-physician e-mail 
communication; scales and questionnaires could allow for 
self-administration when possible, and include measures for 
different types of healthcare settings. Second, research on the 
predictors of successful physician-patient e-mail messaging; 
conducting studies to understand what variables best predict 
successful health outcomes as a result of e-communications 
between physicians, patients, and health educators. Finally, 
the development of interventions that promote a greater understanding 
of health information for patients; creating and evaluating 
interventions that are varied according to content, target 
group, and setting. Research in these areas will provide 
important information to assist health practitioners in 
understanding how secure patient-physician e-mail 
communications improve health. 
Editor’s Note: The State of the Journal Coming Soon 

Having served as Editor of The Health Educator since Spring of 2002, I am fast approaching a decade of service in this capacity. Now that 
nine years have passed and 18 issues have been published, it seems an opportune time to pause for reflection. Such reflection is not to be mere 
cogitation on my part, of course. It's time to seek the Eta Sigma Gamma membership's input on the best means by which to deliver our journal 
and other pertinent issues. 

I have already informally polled the Editorial Associates of our journal for their takes on the pros and cons of eliminating print publishing 
of The Health Educator in favor of an electronic delivery format. Based upon their overwhelming positive response to investigating this option, I 
will seek the input of the membership in the next few months. No decision has been made to go this route; I am merely investigating the options 
we might have at our disposal. At the same time I seek input on this, however, I would like to collect additional information that will give the 
membership a strong sense of the "state of the journal." For instance, how many members actually read one or more articles per issue as opposed 
to those who merely peruse the table of contents? Do members perceive the articles to be useful in their study and practice of health education 
or simply a venue for publication for those who need to publish or perish? 

To accomplish this task I have asked the Editorial Assistant for The Health Educator, Maureen Liefer, to be involved as her work in formatting 
the journal will be influenced by results. In addition, I have engaged a PhD student in health education at Southern Illinois University to assist 
with data collection, management, and analyses. While it is likely to be a significant challenge to get a high response from the membership of Eta 
Sigma Gamma, nevertheless, the time has come to make the attempt. Please be looking for and ready to answer a survey in the near future! 